News

Microsoft: No Security Patches in December

• By Scott Bekker
• December 10, 2003

Microsoft found no security problems serious enough to fix in December. Microsoft's new patch policy calls for all patches to be released on the second Tuesday of the month. The company announced Tuesday that it was letting the regular patching date pass without any new security bulletins and patches.

While Microsoft holds open the possibility of delivering an emergency patch before the next patch date (Jan. 13), it is unlikely that the company will issue any more security patches this year.

The grand total number of security bulletins for 2003 was 51, a significant drop from the total of 72 in 2002 and less than Microsoft's totals for 2001 (60), 2000 (100) and 1999 (61). Straight comparison are clouded by Microsoft's practice in recent years of regularly fixing more than one security vulnerability in a single security patch.

Microsoft started its new monthly program in October, in an effort to give administrators a predictable date that they could plan in advance to set aside for patching and to give IT more time between patches. Prior to the monthly program, Microsoft had been putting out patches on Wednesdays, with rare exceptions.

The October bundle of patches included five patches for Windows and two patches for Office. The November patch bundle consisted of four patches, one fixing five flaws in Internet Explorer, one fixing problems in Windows, another addressing a flaw in FrontPage Server Extensions and one fixing an issue with Word and Excel. Since instituting the policy in October, Microsoft has not released any security bulletins outside of the monthly bundle.